SA can't access GCP bucket

Summary

The server log indicates that the Service Account (SA) does not have the necessary permissions to access the Google Cloud Storage bucket. The error message specifically mentions that the SA lacks ‘storage.objects.list’ access to the bucket.


Question

Hi , I got the server log shows the SA can’t access the GCP bucket, who can help to check this log? version 0.57.2

GET <https://storage.googleapis.com/storage/v1/b/airbyte-storage/o?prefix=job-logging/workspace/b6713750-f1c7-4630-87ee-adf0f94357a6/0/logs.log&amp;projection=full>
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "<mailto:k8s-airbyte-admin-new@gcp-project.iam.gserviceaccount.com|k8s-airbyte-admin-new@gcp-project.iam.gserviceaccount.com> does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist).",
    "reason" : "forbidden"
  } ],
  "message" : "<mailto:k8s-airbyte-admin-new@gcp-project.iam.gserviceaccount.com|k8s-airbyte-admin-new@gcp-project.iam.gserviceaccount.com> does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist)."
}
	at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:146) ~[google-api-client-2.2.0.jar:2.2.0]
	at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:118) ~[google-api-client-2.2.0.jar:2.2.0]
	at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:37) ~[google-api-client-2.2.0.jar:2.2.0]
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$3.interceptResponse(AbstractGoogleClientRequest.java:466) ~[google-api-client-2.2.0.jar:2.2.0]
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1111) ~[google-http-client-1.43.3.jar:1.43.3]
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:552) ~[google-api-client-2.2.0.jar:2.2.0]
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:493) ~[google-api-client-2.2.0.jar:2.2.0]
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:603) ~[google-api-client-2.2.0.jar:2.2.0]
	at com.google.cloud.storage.spi.v1.HttpStorageRpc.list(HttpStorageRpc.java:431) ~[google-cloud-storage-2.17.2.jar:2.17.2]
	... 28 more```

<br>

---

This topic has been created from a Slack thread to give it more visibility.
It will be on Read-Only mode here. [Click here](https://airbytehq.slack.com/archives/C021JANJ6TY/p1715167032037029) if you want to access the original thread.

[Join the conversation on Slack](https://slack.airbyte.com)

<sub>
["server-log", "sa", "gcp-bucket", "google-cloud-storage", "permission-denied"]
</sub>